Vulnerability Management Isn't Just a Numbers Game

Attackers work 24/7, so you have to be vigilant around the clock. Time for some game theory.

Organizations will be quickly overwhelmed if they try to treat all vulnerabilities equally. Given the sheer volume of vulnerabilities, limited resources, and varying objectives across the teams involved, effective cybersecurity requires the ability to view vulnerabilities in the proper context and prioritize them accordingly for treatment — whether to remediate or mitigate or accept the risk.

Redefining "Vulnerability"

For starters, organizations must establish what it means to say they have a vulnerability. Vulnerabilities are often defined and interpreted in a silo or vacuum that fails to consider other relevant factors such as availability of exploits, threat actors, motivation, etc. Thus, the reality is that a vulnerability is only as bad as the threat exploiting it and the potential impact that a successful exploit could have on an organization or business.

Organizations often focus on CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposures) numbers to rank or prioritize vulnerabilities, but neither can be used by itself to effectively manage vulnerabilities.

CVSS measures the severity of a vulnerability but does not consider risk. It represents a worst-case scenario of the extent of the impact or damage if the vulnerability is successfully exploited but not how plausible it is that the exploit will occur. The CVE is even less useful from a risk management perspective because it is just a naming convention or library for identifying unique vulnerabilities.

Context Is Key for Prioritizing Vulnerabilities

A vulnerability can be severe but be a low risk, or a vulnerability can be high risk but not severe. The two terms are not interchangeable, and it's important to understand the difference.

IT security teams tend to focus on the most recent vulnerabilities — especially high-severity vulnerabilities. Attackers, on the other hand, don't necessarily prioritize based on severity. They have nothing to prove. Attackers are generally focused on ease of exploitation and high return on investment. Many attacks target old vulnerabilities for which patches have existed for months or years because attackers can just buy an exploit, or make use of an existing exploit tool and automate the process of discovery and exploitation. Attackers tend to take an industrialized approach toward launching attacks.

Game Theory and Vulnerability Management

One of the biggest fallacies when it comes to vulnerability management is that it's a numbers game. Many organizations have a skewed, metric-driven approach to vulnerability management that creates the illusion of progress and success while leaving the company exposed to significant risk.

If there are 1,000 vulnerabilities detected and the IT security team manages to patch (or remediate) or mitigate 990 of them, they've closed 99% of the vulnerabilities. At face value, that sounds impressive, but attackers only need one exploitable vulnerability to get into the enterprise network. The real questions are: What are the 10 vulnerabilities that are left, and what is the potential impact the organization faces if one of them is successfully exploited?

Instead of viewing vulnerability management as a numbers game and measuring success based on an arbitrary percentage of the total vulnerabilities detected, organizations should view vulnerability management as a function of game theory.

What do I mean by that? Game theory uses rational choice theory along with assumptions of adversary knowledge in order to predict utility-maximizing decisions. It allows someone to predict their opponents' strategies. Applying game theory to vulnerability management is a more effective and practical strategy than just counting vulnerabilities.

There are a variety of factors to consider to effectively prioritize vulnerabilities and maintain effective vulnerability management. IT security teams must consider and negotiate multiple factors — vulnerability severity, asset criticality, asset accessibility, mitigating controls, potential impact, etc. — and think tactically about the opponent to develop a successful strategy.
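As an added illustration (not from the original article), the sketch below ranks the same four findings by CVSS alone and by a context-aware score built from the factors just listed, then compares how much risk remains after closing the top half of each list. The weights, field names and sample findings are constructed assumptions, not a standard scoring model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float              # severity only, 0.0-10.0
    exploit_available: bool  # public or purchasable exploit exists
    internet_facing: bool    # asset accessibility
    asset_criticality: int   # 1 (lab box) .. 5 (business critical)
    mitigated: bool          # compensating control in place

def risk_score(f: Finding) -> float:
    """Likelihood x impact on a 0-100 scale. Weights are illustrative assumptions."""
    likelihood = 0.2
    if f.exploit_available:
        likelihood += 0.5
    if f.internet_facing:
        likelihood += 0.3
    if f.mitigated:
        likelihood *= 0.3
    impact = (f.cvss / 10) * (f.asset_criticality / 5)
    return round(100 * likelihood * impact, 1)

def rank(findings, key):
    """Names of findings ordered from highest to lowest by the given key."""
    return [f.name for f in sorted(findings, key=key, reverse=True)]

def residual_risk(findings, closed):
    """Share of total risk still open after closing the named findings."""
    total = sum(risk_score(f) for f in findings)
    left = sum(risk_score(f) for f in findings if f.name not in closed)
    return round(left / total, 2)

# Constructed sample findings (not real scan data).
FINDINGS = [
    Finding("A-lab-rce", 9.8, False, False, 2, True),
    Finding("B-vpn-old-bug", 7.5, True, True, 5, False),
    Finding("C-fileserver", 8.8, True, False, 3, False),
    Finding("D-web-infoleak", 5.3, False, True, 4, False),
]

if __name__ == "__main__":
    by_sev = rank(FINDINGS, key=lambda f: f.cvss)
    by_risk = rank(FINDINGS, key=risk_score)
    print("by severity:", by_sev)
    print("by risk:    ", by_risk)
    # Same closure count (2 of 4), very different exposure left behind.
    print("residual, severity-first:", residual_risk(FINDINGS, by_sev[:2]))
    print("residual, risk-first:    ", residual_risk(FINDINGS, by_risk[:2]))
```

Both strategies report the same closure percentage, yet the severity-first order leaves the exploitable, internet-facing finding on the business-critical asset open.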

Continuous Vigilance Is Crucial

The final piece of an effective vulnerability management strategy is that it has to be continuous. Running a monthly — or even a weekly — vulnerability scan to identify vulnerabilities to address only provides a snapshot of that moment in time.

Attackers don't work on a weekly or monthly schedule. The Internet is global, and it's 10 a.m. somewhere all the time. Attackers work around the clock, so your vulnerability management efforts have to be vigilant 24/7.

Having an understanding of how to consider context when prioritizing vulnerability remediation efforts, a strategy based on game theory rather than treating vulnerability management as a pure numbers game, and a system of continuous vulnerability monitoring will help you reduce your attack surface and improve your security posture.

Prateek Bhajanka (CISA, CEH) is a VP of Product Management, where he is responsible for product definition, road map, marketing and strategy for the VMDR product offering. He has comprehensive experience in the security domain, where he has played roles across the board, ...